The famous 1970s American criminal Willie Sutton was once asked why he robbed banks. His succinct reply, “because that’s where the money is”, is still relevant today.

Old-fashioned heists may have been replaced by cyber-attacks, but banks have had decades of experience building their defences. An industry that has quietly amassed more than $US44 trillion in global assets is still playing catch-up.

This is why APRA’s new Prudential Standard CPS 234 is forcing asset owners—such as pension and superannuation funds—to prepare for information security incidents, which will assist in a swift response in the event of a breach.

CPS 234 took effect from July 1, 2019, with many local superannuation funds and other asset owners still working to understand and meet the new requirements.

Cybersecurity breaches increasing and drawing public attention

While the relatively quick introduction of CPS 234 has been challenging, the need for the new prudential standard is clear. Cybersecurity attacks on trillions of assets in pension funds around the world are increasing.

Earlier this year in the US, a Massachusetts woman discovered that her 401(k) retirement account, worth almost $US200,000, had been drained. Criminals were able to hack her email, impersonate her, and add a bank account to her retirement fund, a local court heard. And more recently, the Oklahoma Law Enforcement Retirement System lost $US4.2 million after hackers infiltrated an employee’s email account.

Such business email compromise (BEC) attacks may not be sophisticated, but they are common and effective. Malware, such as ransomware installed by clicking on a disguised link or attachment, is another common risk.

APRA has spent years warning the financial services industry that it’s only a matter of time before a bank, insurer or super fund falls victim to a cyber attack.

Similar cyberattacks are also being used against Australian super funds, which collectively hold more than $2.9 trillion and rank as the fourth largest asset pool in the world.

At least one local fund lost a six-figure sum to fraud last year after cyber-criminals launched a phishing attack against some members. The fund detected the fraud several days later and was able to stop the payments.

The incidents so far make it clear that, while complying with CPS 234 takes time and investment, it is crucial for the safety of Australia’s retirement system. The standard’s requirements are principles-based and compare well to other cybersecurity regimes around the world.

Financial services firms should also consider applying the Financial Services Sector Cybersecurity Profile (FSP) to shore up cybersecurity. Globally, the financial sector has led the development of the FSP, a risk-based common supervisory framework that incorporates pre-existing cybersecurity standards and best practices. Industry adoption of FSP would enable financial market participants and regulators to uplift cybersecurity while increasing regulatory harmonisation across the sector and globe.

What asset owners can do to increase cyber protection

CPS 234 provides a roadmap for asset owners to ensure they build a sound cybersecurity framework by asking the right questions. Those questions start at the top: who is responsible for cybersecurity? How does the fund demonstrate to its board that it has sufficient control over cyber risks? What are the fund’s cybersecurity capabilities and controls?

Building this framework can help control and minimise the fallout from ongoing cyber incidents and plan for worst-case scenarios. Asset owners should know how money leaves their organisation and the controls they have in place to protect those movements, and should regularly test and exercise those controls to make sure they are effective.

Other worst-case scenarios to plan for include losing the majority of a customer database and their confidential information, as well as a cyber-attack that cripples the organisation’s infrastructure, leaving just backups to restore functionality.

But it is not just internal cybersecurity that asset owners need to assess. The cybersecurity capabilities of third-party vendors and suppliers should also be a key focus, given that many asset owners depend heavily on external administrators, custodians, fund managers, multiple IT suppliers, and even creative agencies. Many of these organisations (few of which are APRA-regulated) in turn use their own external vendors, creating a chain of potential weaknesses.

It takes skill and experience to know the right questions to ask to uncover a vendor’s real approach to cybersecurity. However, cybersecurity risk assessments have traditionally been performed on an ad-hoc basis within businesses, and by people who often don’t have that specialist knowledge.

Digital disruption is ushering in a new level of competition across the financial services industry. But when it comes to protecting ourselves, and most importantly our customers, from cybersecurity risk, collaboration is the best strategy.

J.P. Morgan helps clients pursue their supervisory obligations, such as CPS 234, by leveraging its global resources and knowledge of new cybersecurity regulations in other jurisdictions, and through its own journey to comply with CPS 234.